In an organization such as a business enterprise, there are various different privileges which can be associated with various different employees. For example, virtually all of the employees will be assigned the privilege of physical access to the building in which they work. On the other hand, there are privileges which will be available to some employees but not others. For example, employees who deal with financial aspects of the organization will typically be granted the privilege of access to the financial software used by the organization, whereas other employees will not have access to this software. Consequently, organizations face the issue of how to associate a variety of different privileges to a variety of different employees in an efficient and accurate manner.
A common traditional approach is to attempt to define a hierarchical model of the enterprise, primarily in terms of location, job function and/or organizational information. As a simple hypothetical example, a traditional enterprise may have an East facility, a Central facility and a West facility. Each of these three physical facilities may have a respective section of the overall sales department, a respective section of the overall production department, and a respective section of the overall finance department. Each such section of each department may have a subset of employees who are identified as the clerical group of that department. Thus, there would be nine separate and distinct clerical groups, including the East sales clerical group, the East production clerical group, the East finance clerical group, the Central sales clerical group, the Central production clerical group, the Central finance clerical group, the West sales clerical group, the West production clerical group, and the West finance clerical group.
If management decided that all of the clerical employees in the organization were entitled to enjoy some new privilege, then a complex and manually intensive procedure would have to be followed in order to associate the new privilege with each of the nine different groups of clerical employees. Of course, this hypothetical example is much simpler than would be the case in a typical large corporation, especially where the employees who are to receive the new privilege fall into a number of different categories, rather than just a single category such as “clerical”. The situation is even more problematic where the established hierarchy does not include a block or node corresponding to the particular group of employees to whom the new privilege is to be associated. In that case, it may be necessary to associate the privilege with some or all of those employees on an employee-by-employee basis, which is extremely cumbersome and prone to errors.
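The following is an added illustration, not part of the original text, that models the hypothetical hierarchy above in code. It is constructed here to make the administrative cost concrete: the three facilities, three departments and the nine clerical nodes are taken from the example, while the privilege names (`expense_portal`, `translation_tool`), the employee roster and the `bilingual` tag are assumptions introduced for the illustration. The functions show (a) that one cross-cutting grant to "all clerical staff" decomposes into nine separate node-level actions, (b) an audit that detects a node that was missed during such a rollout, and (c) the employee-by-employee fallback that becomes necessary when the target population has no node in the hierarchy.

```python
from itertools import product

# Constructed hierarchy: facility -> department -> "clerical" subgroup.
FACILITIES = ("East", "Central", "West")
DEPARTMENTS = ("sales", "production", "finance")


def build_hierarchy():
    """Map each leaf node path, e.g. ("East", "sales", "clerical"),
    to the set of privileges administered at that node (initially none)."""
    return {(f, d, "clerical"): set() for f, d in product(FACILITIES, DEPARTMENTS)}


def grant_by_path(hierarchy, privilege, facility=None, department=None, group=None):
    """Grant `privilege` at every node whose path matches the given
    components (None acts as a wildcard). Returns the paths touched;
    in the traditional model each one is a separate administrative action."""
    touched = []
    for path, privs in hierarchy.items():
        f, d, g = path
        if facility not in (None, f) or department not in (None, d) or group not in (None, g):
            continue
        privs.add(privilege)
        touched.append(path)
    return touched


def audit_gaps(hierarchy, privilege, group):
    """Return the nodes of `group` that lack `privilege`: the omissions
    a node-by-node rollout tends to produce, sorted for stable output."""
    return sorted(p for p, privs in hierarchy.items() if p[2] == group and privilege not in privs)


# Constructed roster. "tags" holds attributes the hierarchy has no node for.
EMPLOYEES = [
    {"id": "e1", "path": ("East", "sales", "clerical"), "tags": {"bilingual"}},
    {"id": "e2", "path": ("Central", "finance", "clerical"), "tags": set()},
    {"id": "e3", "path": ("West", "production", "clerical"), "tags": {"bilingual"}},
    {"id": "e4", "path": ("West", "finance", "clerical"), "tags": set()},
]


def grant_per_employee(employees, privilege, tag, individual_grants):
    """Fallback when the target population (here identified by a tag) has no
    hierarchy node: record the privilege against each employee individually.
    Returns the employee ids touched, one action per employee."""
    ids = [e["id"] for e in employees if tag in e["tags"]]
    for emp_id in ids:
        individual_grants.setdefault(emp_id, set()).add(privilege)
    return ids


def effective_privileges(employee, hierarchy, individual_grants):
    """Union of the privileges inherited from the employee's node and the
    privileges granted to that employee directly."""
    return hierarchy.get(employee["path"], set()) | individual_grants.get(employee["id"], set())


def rollout_demo():
    """Walk through the example: grant a privilege to all clerical staff,
    simulate one missed node, audit for it, then handle a tag with no node."""
    hierarchy = build_hierarchy()
    individual = {}
    touched = grant_by_path(hierarchy, "expense_portal", group="clerical")
    # Simulate an administrator forgetting one of the nine clerical groups.
    hierarchy[("West", "finance", "clerical")].discard("expense_portal")
    gaps = audit_gaps(hierarchy, "expense_portal", "clerical")
    per_emp = grant_per_employee(EMPLOYEES, "translation_tool", "bilingual", individual)
    e1 = next(e for e in EMPLOYEES if e["id"] == "e1")
    e4 = next(e for e in EMPLOYEES if e["id"] == "e4")
    return {
        "nodes_touched": len(touched),          # 9 actions for one decision
        "gaps": gaps,                           # the node that was missed
        "per_employee_actions": len(per_emp),   # grows with headcount, not structure
        "e1_privs": effective_privileges(e1, hierarchy, individual),
        "e4_privs": effective_privileges(e4, hierarchy, individual),
    }


if __name__ == "__main__":
    print(rollout_demo())
```

The `audit_gaps` check is the piece a practitioner would actually run: in a node-based scheme, consistency of a cross-cutting privilege is only as good as the administrator's memory of every node that should carry it, so a periodic comparison of intended against actual node assignments is the practical mitigation for the error-proneness the text describes.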
The traditional approach to administration of privileges is thus based on a model that does not accurately represent the enterprise in question, and that results in inefficient administration and/or data management. The traditional approach is practical only for small businesses, or for businesses that assign privileges only on a high-level basis, or that otherwise abstract the data structure describing the business. A further consideration is that the traditional approach typically grants several privileges to a specified group of employees, without regard to the fact that different persons are responsible for deciding which employees will be allowed to enjoy each of the respective privileges. A by-product of the traditional approach is that, due to the abstraction of business structures in an attempt to administer a complex hierarchy, tradeoffs are commonly made that often lead to weaker security.